OrBit is a new, undetected Linux threat that hijacks the execution flow by loading a malicious shared object into all running and future processes. It provides a remote SSH backdoor, harvests credentials, logs TTY commands, and persists via two methods (ld.so.preload and loader patching). #OrBit #Intezer
Keypoints
- OrBit is a new fully undetected Linux threat that can be installed as either a volatile implant or with persistence to infect all running and future processes.
- It hijacks the dynamic linker loading process using two methods: placing the malicious library via /etc/ld.so.preload and patching the loader binary itself.
- The dropper prepares an environment, creates a dedicated MALWARE_FOLDER, and can install the payload as persistent or volatile depending on the arguments.
- The payload is a shared object that hooks libc, libcap, and PAM to infect processes, harvest credentials, evade detection, and provide remote access.
- OrBit enables SSH backdoor functionality by hooking pam_open_session, pam_authenticate and pam_acct_mgmt to capture credentials and expose a remote connection.
- The malware uses extensive evasion and data-storage techniques (e.g., hardcoded GID, filtering outputs, and multiple data files) to avoid detection and to exfiltrate information locally.
MITRE Techniques
- [T1574] Hijack Execution Flow: The malware patches the dynamic linker and uses /etc/ld.so.preload to load the malicious library first. ["The dropper calls a function called patch_ld. First, it reads the symbolic link of the dynamic linker /lib64/ld-linux-x86-64.so.2 and checks if the malicious payload is already loaded by searching for the path used by the malware."]
- [T1059.004] Unix Shell: The payload invokes /bin/bash in interactive mode as part of its operation. ["The payload below is saved in MALWARE_FOLDER/bin/escalator" and "import os; os.setreuid(0,0); os.execv('/bin/bash', ('/bin/bash', '-i'))"]
- [T1548] Abuse Elevation Control Mechanism: The payload escalates privileges to UID 0 (root). ["os.setreuid(0,0)"]
- [T1021.004] Remote Services: SSH: The malware enables remote access by hooking PAM functions to facilitate SSH connections. ["One of the capabilities of the malware is to set up a remote connection on the machine, it hooks 3 functions in the Pluggable Authentication Module library: pam_open_session, pam_authenticate and pam_acct_mgmt. By hooking these functions the malware is capable of stealing information from SSH connections and providing remote access to the attackers and hiding the network activity."]
- [T1005] Data from Local System: The backdoor logs data generated by executed processes to local files. ["The backdoor logs data that is being written by the executed processes on the machine. The data is stored at: MALWARE_FOLDER/sshpass2.txt and sniff.txt."]
- [T1552.001] Credentials in Files: Credentials are stored in local files for theft or reuse. ["logs the credentials to a file /lib/libntpVnQE6mk/sshpass.txt"]
Indicators of Compromise
- [File path] /etc/ld.so.preload: used to preload the malicious library; examples include /lib/libntpVnQE6mk/.l and related patches; and 2 more paths (e.g., MALWARE_FOLDER/.backup_ld.so)
- [File path] MALWARE_FOLDER/bin/escalator: payload executable; [File path] MALWARE_FOLDER/.profile
- [File path] MALWARE_FOLDER/.backup_ld.so: backup of the dynamic linker, used to hide changes
- [File path] /lib/libntpVnQE6mk/: directory used to store dropped files (e.g., .logpam, sshpass.txt, sshpass2.txt, .ports)
- [File path] /proc/net/tcp, /proc/loadavg, /proc/%PID%/maps, /proc/%PID%/smaps, /proc/%PID%/numa_maps: procfs files checked or filtered by the malware
- [Hash] 67048a69a007c37f8be5d01a95f6a026, ac89d638cb6912b58de47ac2a274b2fb: sample identifiers referenced in figures
- [GID] 0xE0B2E (920366): hardcoded group ID used by the malware
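The two persistence methods from the Keypoints and MITRE sections (an /etc/ld.so.preload entry and a patched loader) and the indicators above lend themselves to a simple host check. The following is an added example written for this page, not Intezer's code or anything from the malware. It takes the IoC directory /lib/libntpVnQE6mk, the hardcoded GID 0xE0B2E and the loader path /lib64/ld-linux-x86-64.so.2 from the write-up; the known-good loader hash is an operator-supplied value (none is shipped here), and the sample file contents used to exercise the functions are constructed. Because the implant filters /proc/%PID%/maps for processes it has infected, the process check is most trustworthy when run from a statically linked tool or against a forensic image rather than from an infected host's own libc.

```python
"""Host checks for the OrBit persistence paths and indicators described above.

Added example (not Intezer's or the malware's code). IoC paths and the GID
come from the write-up; everything else (known-good hash, sample inputs)
is an assumption or constructed data.
"""
import hashlib
import os
import re
import sys

# Indicators taken from the write-up.
IOC_DIR = "/lib/libntpVnQE6mk"
IOC_GID = 0xE0B2E          # == 920366, the hardcoded group ID
LD_SO_PRELOAD = "/etc/ld.so.preload"
LOADER = "/lib64/ld-linux-x86-64.so.2"   # x86-64 loader named in the write-up


def parse_ld_so_preload(text):
    """Return the library paths listed in an ld.so.preload file.

    glibc splits entries on whitespace (and ':') and treats '#' to end of
    line as a comment. The file is normally absent, so any entry is of
    interest; the filter below separates the clearly suspicious ones.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def suspicious_preload_entries(entries):
    """Flag preload entries under the OrBit directory, hidden-file names
    (the write-up's example is /lib/libntpVnQE6mk/.l), or paths outside
    the usual library directories."""
    flagged = []
    for p in entries:
        base = os.path.basename(p)
        if (p.startswith(IOC_DIR + "/")
                or base.startswith(".")
                or not p.startswith(("/lib", "/lib64", "/usr/lib"))):
            flagged.append(p)
    return flagged


def loader_references_ioc(loader_bytes):
    """The dropper decides whether the loader is already patched by searching
    it for the malware's path, so the same string is a cheap detection: a
    clean glibc loader never contains it."""
    return IOC_DIR.encode() in loader_bytes


def loader_hash_matches(loader_bytes, known_good_sha256):
    """Compare the on-disk loader with a SHA-256 recorded from a known-good
    system or distribution package (operator-supplied; this example does not
    ship a real value)."""
    return hashlib.sha256(loader_bytes).hexdigest() == known_good_sha256


def processes_mapping_ioc(maps_by_pid):
    """Given {pid: contents of /proc/<pid>/maps}, return the PIDs that have
    a library from the OrBit directory mapped."""
    return sorted(pid for pid, maps in maps_by_pid.items() if IOC_DIR in maps)


def files_with_ioc_gid(gid_by_path):
    """Given {path: gid} (as from os.stat), return paths owned by the
    hardcoded group ID the malware uses for its own files."""
    return sorted(p for p, gid in gid_by_path.items() if gid == IOC_GID)


def main():
    """Run the checks against the live host and report findings."""
    findings = []
    if os.path.exists(LD_SO_PRELOAD):
        with open(LD_SO_PRELOAD) as fh:
            entries = parse_ld_so_preload(fh.read())
        findings.append(f"{LD_SO_PRELOAD} present: {entries}")
        findings.extend(f"suspicious preload entry: {p}"
                        for p in suspicious_preload_entries(entries))
    try:
        with open(os.path.realpath(LOADER), "rb") as fh:
            if loader_references_ioc(fh.read()):
                findings.append(f"{LOADER} contains the string {IOC_DIR}")
    except OSError:
        pass
    maps = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as fh:
                maps[int(pid)] = fh.read()
        except OSError:
            continue   # process exited or is not readable at this privilege
    findings.extend(f"pid {pid} maps a library from {IOC_DIR}"
                    for pid in processes_mapping_ioc(maps))
    if os.path.isdir(IOC_DIR):
        findings.append(f"{IOC_DIR} exists")
    for line in findings or ["no OrBit indicators found"]:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as root for full coverage of /proc; a non-zero exit status means at least one indicator was found. The pure functions take file contents rather than paths so the same logic can be pointed at files carved from a disk image, which sidesteps the output filtering the implant applies on a live host.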
Read more: https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/